Comment by lights0123
9 days ago
Most programs do encryption without syscalls! eBPF can intercept userspace execution, which they do as mentioned in the post:
> The key idea is to hook into common TLS libraries (like OpenSSL) before encryption and after decryption
I saw that, but Go doesn't use dynamically linked libraries for encryption, so I don't think it helps in this particular case.
If I want to do something similar, do you know where the relevant parts of the eBPF docs are?
Qtap scans binaries of processes as well known locations for OpenSSL on startup, then passes the offsets to eBPF where it hooks into the SSL_read and SSL_write to get the content before or after it's been encrypted.
This is the eBPF side: https://github.com/qpoint-io/qtap/blob/main/bpf/tap/openssl....
The Go side which indicates what we are scanning for is here: https://github.com/qpoint-io/qtap/blob/main/pkg/ebpf/tls/ope...
For more docs on the topic: - https://docs.ebpf.io/ is a must read - https://eunomia.dev/en/tutorials/30-sslsniff/ has a tutorial on cracking OpenSSL open and getting the content as well. The tutorials they have are fantastic in general